Privacy Notice

Last update on 24.05.2018

1. General

The protection of your personal data and to process such data in a manner that complies with the applicable data protection requirements is of great importance to the Rail Cargo Group (“RCG” or “we”) - Rail Cargo Austria AG, 1100 Vienna, Am Hauptbahnhof 2, business register number FN 248731g and it´s susbsidiaries. This privacy notice explains how we, as the controller responsible for the processing, collect personal data relating to you and, if applicable, how we disclose and use such data as well as how you can exercise your rights as a data subject.

1.1 Please contact us via our data protection officer if you have any questions about our use of your personal data by sending an e-mail to datenschutz@railcargo.com.

Types of personal data

Purpose of collection

to answer, respectively to process, any of your notifications, complaints or service requests or notifications of lost cargo, which you have sent to us

to provide you with important information, e.g. new products

to invite you to any of our events, e.g. public events, exibitions

to organise any of our events

to invite you to participate in raffles

to conduct customer and other surveys on a voluntary basis

Customer details,which you have provided to us or which We require for the invoicing of our services, such as title, including academic and/or professional title(s), name, address, telephone number, e-mail-address, name of the company of the contact person specified by the customer, customer number, order data and data relating to the use of services, payment details of the customer

to initiate and manage a business relationship

to invoice our services

to invite you to customer events

to provide you with important information about our services

Supplier details, which you have provided to us as our contract partner in the course of the procurement process and the management of the contractual relationship, such as title, including academic and/or professional title(s), name, address, telephone number, e-mail-address, name of the company of the contact person specified by the supplier, payment details of the supplier

to initiate and manage a business relationship.

2.1.1 If we require any further personal data, we will inform you accordingly about the types and respective purposes of processing upon collection of such data

2.2 Personal data which we collect automatically, cookies and similar technolog

2.2.1 Please refer to our terms of use for our website regarding personal data, which we may collect in the course of your visit of our website or the use of cookies and similar technology.

2.2.2 The systems made available to your customers and business partners by RCG record system and application logs to the extent customary and only for the performance of any error analysis. Relevant personal data include the IP-address and, depending on the used system, the user’s browser, if applicable. The legal basis for the processing of such personal data is RCG’s legitimate interest in ensuring network and data security as well as the functioning of the systems which is not overridden by the interests or any fundamental rights and freedoms of the data subject (Art 6 para 1 lit f General Data Protection Regulation (“GDPR”).

2.3 Personal data obtained from external sources

2.3.1 From time to time, We may obtain personal data from external sources (such as personal data from publicly available registers, e.g. the business or land register, from any information published on your company’s or organisation’s website, or if you contact one of ÖBB’s group companies with any request/complaint forwarded to us by the respective group company). In this regard We will review whether such third parties have obtained your consent or are lawfully entitled or legally required to disclose any such personal data.

2.3.2 The types of personal data collected by us include personal data disclosed in public registers or your contact details obtained from other publicly available sources such as company websites. We will use the personal data received from such third parties for the following purposes:

to maintain and improve the accuracy of our records of your personal data,

to process any request/complaint relating to us.

3. Recipients of personal data

3.1 We may disclose personal data relating to you to the following categories of recipients:

3.1.1 to other group companies, processors and business partners performing data processing services on behalf of RCG or processing personal data in any other manner in connection with the purposes specified in this privacy notice, or any purposes notified to you at the time We collect your personal data. ÖBB-Business Competence Center GmbH, Erdberger Lände 40-48, 1030 Vienna, business register number FN 248730 f, a group company of ÖBB, is our main processor for IT-technology related services (e.g. operation of IT-systems, technical maintenance and troubleshooting). A list of the most important ÖBB group companies is provided under https://konzern.oebb.at/en/about-the-group/organization

3.1.2 to a competent enforcement authority, supervisory authority or public authority, a court or any other third party if the disclosure is required due (i) to applicable legal provisions, (ii) to exercise, protect or defend our legal rights, or (iii) to protect your or a third party’s material interests;

3.1.3 to a potential buyer (and its representatives and advisors) in connection with the intended acquisition, merger or takeover of our company (or a part thereof) subject to our notification of the purchaser that it shall only use your personal data in accordance with the purposes specified in this privacy notice.

3.1.4 to any other third party subject to your consent.

4. Legal basis for the processing of personal data

4.1 The relevant legal basis for the collection and processing of personal data depends on the particular context in which we collect such data.

4.2 In general, we only process personal data relating to you if you have given us your consent to process such data (Art 1 para 1 lit a GDPR), if We require the personal data to perform a contract We have entered into with you (Art 6 para 1 lit b GDPR), or if We have legitimate interests in the processing and such interests are not overridden by your interests or fundamental rights and freedoms (Art 6 para 1 lit f GDPR). In some cases, it may be necessary to process your personal data in order to comply with our legal obligations (Art 6 para 1 lit c GDPR), for example statutory obligations to keep certain personal data or in order to protect your or a third party’s vital interests (Art 6 para 1 lit d GDPR).

4.3 If we process your personal data based on any other legitimate interests not specified above (or any such interests of third parties), We will notify you accordingly of such legitimate interests in due time.

5. Retention of personal data

5.1 We keep personal data relating to you as long as this is required to achieve the respective purpose, or as long as there are any contractual or legal obligations or justified interests to retain such data (e.g. to perform the ordered services, to comply with legal obligations to retain certain personal data, or to establish any legal claims).

5.2 If the retention of personal data is no longer justified by legitimate purposes, such data will either be erased or anonymised. If it is not possible to erase or anonymise such personal data (for example if personal data relating to you have been stored in back-up archives), We will securely store such data and prevent any further processing until they can be erased.

6. Rights of data subjects

6.1 Subject to applicable law you are entitled to the following rights in relation to your personal data: access to personal data, rectification, erasure, restriction of processing or the right to object to the processing, the right to data portability as well as the right to lodge a complaint with a supervisory authority.

6.2 If we process your personal data based on your consent, you may withdraw your consent at any time. The withdrawal of your consent does not affect the lawfulness of any processing prior to your withdrawal.

6.3 If personal data are processed for direct marketing purposes and such processing is not based on your consent, you may object to the processing for such purposes at any time. This also applies to any profiling to the extent it relates to such direct marketing measures.

6.4 In order to exercise your rights, please send us an e-mail to datenschutz@railcargo.com. We will review your request and reply accordingly.

6.5 Furthermore, you can unsubscribe from any marketing communication We may send to you. Please klick the respective link to unsubscribe provided in the respective marketing e-mail or cancel your subscription by sending an e-mail to the e-mail-address specified in such communication. In order to cancel any other types of marketing communication (e.g. via mail or telephone), please contact us by e-mail to datenschutz@railcargo.com

7. Amendments of this privacy notice

7.1 We may update this privacy notice from time to time to reflect legal, technical or business developments. We will take reasonable measures to inform you of any amendments of this privacy notice depending on their relevance. We will obtain your consent for any material amendment of this privacy notice to the extent required by applicable data protection legislation. The date of the “latest update” is the date stated at the beginning of this privacy notice.